(57) Abstract: The computer system comprises a local network domain of communicating computers and a connection for commu-
Title: Computer network protection

The invention relates to protection against unauthorized access to
(copies of) files stored in a computer network.

It is known in the present situation that in order to guarantee the
confidentiality of electronic documents (also referred to below as "files"),
codes indicating which users are allowed to open the document are stored in
a file system. Thus, for instance, this code can indicate whether only the
author of the file has an access right or also a group to which this author
belongs, or that everyone has an access right. When a user attempts to read
such a file, the control system checks whether the respective user has an
access right according to the codes for the requested file. Only if this is the
case does the control system allow access.

This form of access control has the drawback that it is bound to the
file system. This form of access control requires that users be divided
previously into different kinds.

Another form of access control is the encryption of confidential files.
Only those who have at their disposal the key required for the encryption of
the file can get access in this way. The advantage over access codes is that
now also all content-containing copies of the file are protected wherever they
are. It is a drawback, however, that each time a key and decryption are
required before access to the file is possible.

For protection against computer viruses, it is known besides to make
use of a so-called firewall for the transport of files to a computer system. A
firewall blocks the reception of files by a computer system when the file
satisfies predetermined characteristics. A firewall, however, does not serve
to keep confidential selected confidential files among files sent by the
computer system.
It is, inter alia, an object of the invention to provide a computer
system which makes it possible to selectively limit the access to files
without requiring extra measures when copies are made within the
computer system and without requiring encryption.

The computer system according to the invention is defined in claim 1.
The invention makes use of a gate device in a communication channel
between a network domain and an external connection such as a connection
to the Internet. The gate device is arranged to check for the presence of a
security tag all files sent to the external connection via the communication
channel. Depending on the presence or absence of this security tag, the gate
device limits the free sending of the file to the external connection.

In this way, a file-selective check is performed for the access
possibilities to the file outside the network domain. Within the network
domain, every user has access, in principle, to the file. But outside it, the
access is limited. In this way, a domain specific protection is provided. In
the most extreme form, the gate device blocks the sending, depending on the
presence or absence of this security tag. In principle, the invention can be
applied to all forms of file sending, for instance sending as part of e-mail
protocols (SMTP), as part of file transfer protocols (FTP), as part of
hyperlink protocols (HTTP) or any other sort of protocol.

Preferably, all communication channels of the network domain to
external connections are provided with such a gate device. In one
embodiment, the gate device limits free sending of files provided with such a
security tag. In this way, existing or externally received files remain freely
accessible, and users can themselves ask for protection.

The invention, however, is not limited to complete obstruction. In
another embodiment, for instance, the gate device automatically encrypts
all files provided with a security tag when these files are sent via the
communication channel. In this way, protection is offered outside the
network domain by means of encryption. In yet another embodiment, the
security tag is combined with an anti-tamper code which makes it
practically impossible to remove the tag.

These and other objects and advantageous aspects of the computer
system according to the invention will be described in more detail with
reference to the following Figures.

Figure 1 shows a computer system
Figure 2 shows a gate device

Figure 1 shows a computer system with external connections 14a, 16a. The
computer system comprises a domain 10 containing a number of computers
100, 102, 104, 106, 108, which are connected with each other via
connections. A part of the computers 100, 102, 104, 106, 108 is connected
with communication channels 14a,b, 16a,b, which run via the external
connections to further computers (not shown). Located in the
communication channels 14a,b, 16a,b are gate devices 11, 12. The gate
devices each preferably form part of a device which also has other security
tasks such as the effectuation of a firewall etc. In use, files are stored in one
or more of the computers in domain 10, which files can be read via the
connections from all computers in the domain. These files can be provided
with security tags. In an HTML file, the security tag could, for instance, be
implemented by addition of a piece of text in the form of <SECURITY>
</SECURITY>, optionally supplemented with parameters. Of course, the
security tag may be supplemented in all kinds of other ways, for instance by
addition of other sorts of codes, or by applying a watermark in the file.
Preferably, the computer is arranged to also automatically encrypt the file
or the important part thereof when applying the security tag. In this way,
an extra protection is realized.
When a file is sent from a computer in the domain via one of the
communication channels to one of the external connections 14a, 16a, this
occurs via the gate device 11 or 12. The respective gate device 11, 12 checks
the file for the presence of the security tag before sending on the file to the
external connection 14a, 16a. The gate device 11, 12 sends on the file only if
it does not find the security tag. Besides, the gate device 11, 12 preferably
stores data on the sending of the file in a log file, at least if the sending has
been obstructed. This enables the system manager to check for breaches
later.

Figure 2 shows an embodiment of a gate device 11 in more detail. The
gate device 11 contains a first transceiver 20 for the local part of the
communication channel 14b, a second transceiver 22 for the external
connection 14a, a memory 24 and a tag detector 26. Transceivers 20, 22 are
coupled to the memory 24. The detector 26 has an input coupled to the first
transceiver 20 for the local part of the communication channel 14b and an
output coupled to the second transceiver 22 for the external connection 14a.

In operation, the first transceiver 20 receives messages from the local
part of the communication channel 14b and stores these messages
temporarily in the memory 24. The detector 26 examines the content of the
message for the presence of a file containing a security tag and sends,
depending on a result of that examination, a command to the second
transceiver 22. When the command purports to pass the message, the
second transceiver 22 reads the message from the memory 24 and sends the
message to the external connection 14a. When the message is not sent on,
the message is removed from the memory 24, for instance by overwriting it
with a later message without sending on the message.

The computers in the domain 10 are arranged to read or copy the
respective files without a check on the security tag on all computers in the
domain. In this way, it is possible to store and copy files in the domain 10 in
arbitrary places, but undesired or accidental sending to external connections
14a,b outside the domain is made impossible.

Without departing from the principle of the invention, all kinds of
other embodiments are, of course, possible. Thus, for instance, the gate
device 11, 12 may exactly not send on the file when no security tag is
present. As a result, a user may deliberately choose to protect a file from
sending.

As part of the protection, a tamper protection may be included such
as, for instance, a code encrypted with a private key, which code can be
decrypted with a public key and contains a number which is a function of
the content of the file including the security tag. Before sending the file, the
gate device may then recalculate the code on the basis of the file and
compare it with the code obtained from the file by public key decryption. In
this way, it is ensured that the security tag cannot be changed. Also, the tag
can be included in specific sorts of files as a watermark.

Furthermore, the gate device 11, 12, instead of not sending the file,
may encrypt the file before sending it when the security tag indicates that
free sending is not allowed. If desired, it may even be indicated with
parameters in the security tag which action (for instance not sending or
sending encryptedly) the file must undergo when passing the gate device.
CLAIMS

1. A computer system, comprising

- a local network domain of communicating computers;

- a connection for communication with an external network;

- a gate device coupled between the local network and the connection,
which gate device is arranged to check files sent from the local network to
the connection for whether they contain a security tag, and to send or not
send on each file to the connection depending on detection of the presence or
absence of the security tag in the file.

2. A computer system according to claim 1, wherein the gate device is
arranged to block sending on of the file if the security tag is present in the
file.

3. A computer system according to claim 1 or 2, wherein the
communicating computers are arranged to encrypt a substantial part of the
file when providing the security tag.

4. A gate device with a coupling for connection of a local network and a
connection for an external network, which gate device is arranged to check
files sent from the local network to the connection for whether they contain
a security tag, and to send or not send on each file to the connection
depending on detection of the presence or absence of the security tag in the
file.

5. A method for protecting information transport from a local network to
an external network, which method comprises the steps of

- providing a security tag in selected files;

- examining files sent by a gate device of the local network to the external
network for the presence of the security tags;

- blocking or sending on those files in which a security tag is present.